Commit 2d484087 authored Nov 04, 2018 by Florian Westphal Committed by Greg Kroah-Hartman Dec 13, 2019

netfilter: nf_tables: don't use position attribute on rule replacement



[ Upstream commit 447750f281abef547be44fdcfe3bc4447b3115a8 ]

Its possible to set both HANDLE and POSITION when replacing a rule.
In this case, the rule at POSITION gets replaced using the
userspace-provided handle.  Rule handles are supposed to be generated
by the kernel only.

Duplicate handles should be harmless, however better disable this "feature"
by only checking for the POSITION attribute on insert operations.

Fixes: 5e948466 ("netfilter: nf_tables: add insert operation")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 6ce317fd

net/netfilter/nf_tables_api.c

+7 −10

Original line number	Diff line number	Diff line
		@@ -2610,12 +2610,8 @@ static int nf_tables_newrule(struct net net, struct sock nlsk,

		if (chain->use == UINT_MAX)
		return -EOVERFLOW;
		}

		if (nla[NFTA_RULE_POSITION]) {
		if (!(nlh->nlmsg_flags & NLM_F_CREATE))
		return -EOPNOTSUPP;

		pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
		old_rule = __nft_rule_lookup(chain, pos_handle);
		if (IS_ERR(old_rule)) {
		@@ -2623,6 +2619,7 @@ static int nf_tables_newrule(struct net net, struct sock nlsk,
		return PTR_ERR(old_rule);
		}
		}
		}

		nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);